[00:06.980 --> 00:11.960]  So, hi to everybody at the Aerospace Village and dialing in for our panel,
[00:11.960 --> 00:15.280]  where we're going to be talking about the hacker community and ISACs.
[00:15.280 --> 00:20.460]  I'm Pete Cooper, the Director of the Aerospace Village, and I'm going to be hosting for the next 50 minutes.
[00:20.860 --> 00:26.960]  Now, across the aerospace sector, good faith security research has played a hugely key role
[00:26.960 --> 00:29.400]  in highlighting both risks and vulnerabilities.
[00:29.600 --> 00:32.620]  But if the researcher or hacker can't find a good point of contact,
[00:32.620 --> 00:35.060]  then approaches about potential vulnerabilities
[00:35.560 --> 00:38.920]  haven't always been potentially welcomed with open arms.
[00:39.380 --> 00:43.280]  The Aerospace Village really looks to help build bridges and trust
[00:43.280 --> 00:46.160]  between the hacker research community and the aerospace sector
[00:46.160 --> 00:50.800]  so that we can have those pathways to talk about what potential challenges there are
[00:50.800 --> 00:53.800]  and that we can work better and be more safe and secure.
[00:54.120 --> 00:59.120]  ISACs are seen often as a key point of contact for researchers and hackers
[00:59.120 --> 01:01.840]  who want to reach out if they think they've found an issue,
[01:01.840 --> 01:05.240]  but also struggle potentially with reaching the vendors.
[01:05.660 --> 01:09.060]  So how best do we create those relationships across hackers and ISACs
[01:09.060 --> 01:12.500]  to learn the lessons of the past and build the trust that we need?
[01:13.080 --> 01:16.160]  To see what's worked, what hasn't worked, and what we can do going forwards,
[01:16.160 --> 01:19.700]  it's fantastic to have just the right people to talk about this.
[01:19.780 --> 01:25.520]  So on the panel, we've got Erin Miller, who's VP of Operations for the, I think fair to say,
[01:25.520 --> 01:31.380]  newly minted Space ISAC, and soon reaching IOC this year.
[01:31.380 --> 01:35.200]  We've got Jeff Troy, who's President and CEO of the Aviation ISAC.
[01:35.380 --> 01:40.760]  We've got Ken Monroe, partner and founder of Pentest Partners, and also Carpool Karaoke today.
[01:40.960 --> 01:48.840]  And then Matt Gaffney, who is Managing Director of BSSI, who actually has an aviation backdrop in his photo.
[01:49.600 --> 01:53.260]  So I'll pass over to you for short introductions, and then we'll get on to the panel.
[01:53.260 --> 01:55.140]  So Erin, over to you first.
[01:55.940 --> 01:58.840]  Hey, good day, everyone. Glad to be here.
[01:59.720 --> 02:05.000]  As Pete mentioned, and thank you, Pete, for that great intro, we are a new ISAC.
[02:05.000 --> 02:09.460]  I came to the Space ISAC actually from a public-private partnership background.
[02:09.460 --> 02:16.220]  So I've been working to bring together the commercial sector and the public sector for some time, several years.
[02:16.580 --> 02:24.060]  Traditionally, just working in rapid prototype development and ideation brainstorm sessions to generate solutions,
[02:24.060 --> 02:27.680]  in particular for the warfighter, so that's more of my background.
[02:27.680 --> 02:34.440]  Very excited for the future of the Space ISAC, and I've been working for over a year, about 18 months or so,
[02:34.440 --> 02:40.140]  to stand up the Space ISAC and get it towards the initial operating capability that we need for the sector.
[02:41.140 --> 02:44.420]  Thanks, Erin, and looking forward to seeing where it goes.
[02:44.420 --> 02:46.500]  And then over to Jeff.
[02:47.500 --> 02:53.100]  Thanks, Pete. So I'm the President of the Aviation ISAC for the last three and a half years.
[02:53.100 --> 02:57.240]  I've been with the ISAC for five years since its inception.
[02:57.240 --> 03:01.120]  It's just helping them stand up initially in their project.
[03:01.260 --> 03:07.340]  I'm also on the Board of Directors of the National Defense ISAC, and I also work for General Electric Aviation.
[03:08.840 --> 03:10.940]  Fantastic, and then Ken.
[03:11.360 --> 03:18.200]  Hi, so I'm sorry about the backdrop. Two days ago, I was sat on the cockpit of a 747, so that would have been better, surely.
[03:18.200 --> 03:23.160]  Anyway, I work for a firm called Pentest Partners, and usually several of us are pilots.
[03:23.160 --> 03:28.560]  I'm not a very good pilot. I'm the guy who landed at the wrong airfield once, but we do have a keen interest in aviation.
[03:28.560 --> 03:37.160]  And for the last couple of years, we've been working on decommissioned airframes, starting to understand how the networks work and how the security of airplane systems fits together.
[03:38.460 --> 03:42.560]  Fantastic, and then last but not least, Gaffers or Matt.
[03:42.560 --> 03:51.940]  Hi everyone, Matthew Gaffney. I am the Managing Director of BSSI UK, where I work with multiple clients across various sectors.
[03:51.940 --> 03:59.520]  But I have worked several years at the airline or operator level, working with the entry into service of new e-enabled aircraft.
[03:59.540 --> 04:11.180]  So, coming across challenges and obstacles in the entry into service of aircraft and basically doing assurance across the whole piece.
[04:12.020 --> 04:16.700]  Fantastic, and great to have you all, and it's a great spread of experience across the entire panel.
[04:16.740 --> 04:25.100]  So, I'm going to start off with Ken, and you've been working with ISACs across various sectors for quite a long time now.
[04:25.960 --> 04:33.900]  So, finding vulnerabilities, potentially not getting much out of a vendor, and then working with the ISAC is fairly common for you.
[04:33.900 --> 04:41.740]  So, from your perspective, from what you've seen, how do ISACs fit into the picture for researchers and hackers?
[04:42.000 --> 04:45.880]  Yeah, I find actually ISACs make a really good set of connections for us.
[04:45.880 --> 04:52.420]  So, if you read our blog many times over, you'll see that when we find a vulnerability, often it's not the vulnerability that's the story.
[04:52.420 --> 05:05.520]  It's how the vendor actually responds and interfaces with a security researcher that makes a difference between a really smooth, seamless, and straightforward vulnerability disclosure process, through to being a bit of a train wreck, frankly.
[05:05.520 --> 05:10.920]  And I find that the work we've done with ISACs over the last few years has really smoothed that process.
[05:11.280 --> 05:18.460]  Typically, when we're working on, I don't know, embedded components, maybe in IoT, you find something, and the vendor just doesn't listen.
[05:18.460 --> 05:26.540]  They don't get it. They don't understand. But you tend to find different problems in organizations that are perhaps a member of ISACs, because they're just so big.
[05:26.800 --> 05:38.560]  And how does a little research operation like ours get through to the very right person within a large, whether it's an auto manufacturer, or a CNI operator, or an airline?
[05:38.560 --> 05:42.300]  How do you find that right person, and how do you get them to listen to you?
[05:42.300 --> 05:48.660]  And that's where we found the ISACs have been really, really helpful, is by having a connection, by establishing trust.
[05:48.920 --> 05:56.900]  It's great to get those connections that mean that it's not just scrabbling around on LinkedIn, or sending emails into some generic mailbox.
[05:56.900 --> 06:03.780]  It's actually, it's a conversation, and then a private broker discussion, which is where the ISACs have been so unbelievably helpful.
[06:03.780 --> 06:05.360]  It makes a real difference.
[06:05.920 --> 06:11.260]  Okay, that sounds great. And it sounds like it's worked. It has worked well in the past.
[06:11.260 --> 06:26.380]  I mean, Jeff, from your perspective, having been at the front of the ISAC for quite a while now, I mean, so you first got introduced to Hacker Summer Camp in Vegas when you came on a panel with me at B-Sides a couple of years ago.
[06:27.080 --> 06:36.880]  And the conversation we had around that, because you were dealing with some vulnerabilities at the time, it was great to see some of the ideas that you were coming up with about working with the hacker community.
[06:36.880 --> 06:44.360]  So what's been your experience as the ISAC with starting to work with the hacker community now?
[06:44.700 --> 06:48.840]  So our experience has actually been a lot like Ken's.
[06:49.360 --> 07:04.700]  Initially, what we're finding is hackers are coming to us, they're either coming through a friend that they know, they're coming through us because of connections that we've made with government agencies.
[07:04.700 --> 07:12.680]  Or in some instances, we've actually had some companies call us and say, can you talk to this person first, because we're not sure we even want to talk with them.
[07:13.200 --> 07:28.240]  So there was a lot of, I think, a couple of years ago, hesitation or just a little skepticism with respect to dealing with people who were just calling in and saying that they had some information about a particular vulnerability.
[07:28.660 --> 07:32.340]  So that was probably one of the first challenges.
[07:32.340 --> 07:42.260]  And, you know, in our discussions with these folks, we found, you know, most importantly, that they come with great intentions, just good intentions.
[07:42.260 --> 07:45.260]  We want to really show you something that we found.
[07:45.420 --> 07:56.000]  And most importantly, also, they're coming in, they're saying, I'm not telling anybody about this, because one, I'm not really sure what I found, because that's one of the problems, too, that we find.
[07:56.000 --> 08:05.620]  If someone finds, for example, a vulnerability within a component of a system, they're not really sure how that impacts the whole system.
[08:05.620 --> 08:14.640]  So really good that people have come in and had, you know, one, good research, two, good intentions.
[08:14.720 --> 08:18.740]  And then three, you know, Ken highlighted this as well.
[08:18.740 --> 08:20.900]  We act really as a connector.
[08:20.900 --> 08:26.500]  I mean, if you come into the Aviation ISAC, we don't have a setup like Matt Gaffney behind him there.
[08:26.500 --> 08:27.760]  And we don't have any airplanes.
[08:27.760 --> 08:29.840]  We don't have a lab.
[08:29.840 --> 08:34.020]  We can't test for this vulnerability, but we do do that connection.
[08:34.220 --> 08:42.080]  So the ISAC is a community of researchers in product security and network security and threat analysts.
[08:42.080 --> 08:49.580]  So one thing we do have is just a great, you know, network where most times a researcher will call us.
[08:49.580 --> 08:59.260]  And within about 24 hours, we've got them in touch with a product security incident response or a similar type person inside that company.
[08:59.260 --> 09:03.960]  And we're starting to, you know, help that conversation along.
[09:03.960 --> 09:18.900]  But once that connection is made, actually, we pretty much step to the side and let the people who actually built the technology and the researcher who has, you know, this vulnerability information, let them have that direct conversation.
[09:19.780 --> 09:34.800]  Thanks, Ken. And that's actually a nice segue through to chatting to Gaffers, because Gaffers, you've just gone through this process of finding a potential snag or two on some systems.
[09:35.640 --> 09:46.460]  And actually started working with the ISAC and other organizations to try sort of getting to the bottom of it and closing off.
[09:46.460 --> 09:52.860]  So what's been your perspective of that journey from finding something to trying to close it off?
[09:53.980 --> 10:12.460]  Yes. So I was writing a paper about some of the things I'd seen, and I was curious about how much detail I could go into without causing alarm distress or basically overstepping the boundaries.
[10:12.460 --> 10:19.160]  So, you know, through the community, I reached out to the Aviation ISAC to get some advice.
[10:20.340 --> 10:27.700]  And one thing I noticed was within 24 hours, I noticed the hits on my LinkedIn profile just exploded.
[10:28.200 --> 10:32.940]  It was just full of people from all sorts of manufacturers.
[10:33.740 --> 10:49.500]  And it was in stark contrast, really, with similar interactions, which I'd had whilst I was working at the airline, where, you know, maybe a week later you get a response and the response was very, very tepid indeed.
[10:50.820 --> 10:57.340]  So that was really the first difference I've noticed in going through the aviation ISAC.
[10:58.960 --> 11:10.060]  The second time around, the official vulnerability disclosure procedure had been developed at manufacturer level, again, I think with help from the aviation ISAC.
[11:10.800 --> 11:13.640]  So we decided to use that mechanism.
[11:14.240 --> 11:24.920]  And although the initial holding response was quite quick, it was about a working day in response, the actual full response took four and a half weeks.
[11:24.920 --> 11:30.620]  And that was because I was chasing, which I thought was a little bit slow myself.
[11:30.820 --> 11:36.660]  It wasn't a highly technical issue. It was quite, quite simple.
[11:36.660 --> 11:44.820]  And the response was no different than the first time I went through disclosing a vulnerability with a manufacturer.
[11:45.420 --> 11:56.420]  And basically it was the scenarios and the hypothesis are not credible, therefore there's no vulnerability, which is a very strange opinion to have on risk management myself.
[11:56.420 --> 12:05.980]  But I rebutted with some comments from the official response and they were left unanswered.
[12:05.980 --> 12:09.660]  Until eventually I got a this matter is closed email and that was it.
[12:10.760 --> 12:33.320]  So the difference, I suppose the outcome was very similar, but I would say the response, the initial response was much better because the first time I went through this, it took several months to get to any kind of, any kind of satisfactory resolution, which it wasn't in the end really, it was only a halfway house.
[12:33.320 --> 12:40.160]  But with the Aviation ISAC going through the official process, it took weeks instead of months.
[12:41.000 --> 12:49.760]  Thanks for that. I want to come to that in a second, but can I just go for a straightaway follow up question to Jeff on that?
[12:49.760 --> 13:01.380]  Which is, if on one hand you've got a researcher such as Gaffers who's saying, I think I've found something, but the response from the manufacturer, the vendor is, well, actually there's nothing there.
[13:01.380 --> 13:11.420]  But we can't really tell you there's nothing there. With the ISAC in the middle, and you're funded by the manufacturers, how do you reconcile that?
[13:11.880 --> 13:20.800]  That's a great question. And I think it's kind of like that great abyss that is so hard for us to get across.
[13:20.800 --> 13:30.900]  So when you have a researcher who has information and they believe that, you know, this is a vulnerability, particularly one that needs to be addressed.
[13:31.400 --> 13:42.520]  As I said, we can't validate it. I don't have the equipment. I don't have the specialists to be able to do that. The best I can do is get you in touch with the right people who do have it.
[13:42.520 --> 13:53.700]  And hopefully through the relationship builds that have happened over the years that, you know, there'll be a good exchange there.
[13:54.360 --> 14:07.360]  When you get to a situation where the process has been completed and the manufacturer is not validating that vulnerability has any impact.
[14:07.360 --> 14:17.740]  I think it is an extremely difficult situation at that point in time, because you've got someone, you know, like Gaffers, they've got an incredible mindset, right?
[14:17.740 --> 14:25.500]  It's, hey, I'm challenging things that people are saying are secure. And I am not sure, you know, that this is because of something that I've found.
[14:25.500 --> 14:41.180]  And that is what I think is the treasured trait of every security researcher. Their ability to dig in and try and find a way around the system that someone said there's no way around is what leads to the great security research that we have.
[14:41.180 --> 14:55.440]  The unfortunate part is that if someone has tested it against that system, and they know why it doesn't work, and they don't want to pass that information back over to the researcher, then you have this gap.
[14:55.440 --> 15:14.720]  Because the researcher's mindset is, hey, I think this is great. You need to show me how come. And there's a... now you have that question of, well, where does my intellectual property and my security controls stop, you know, in respect to trying to protect them?
[15:14.720 --> 15:21.840]  And where does the research information, you know, kind of come together? How do we meet in the middle there?
[15:21.840 --> 15:38.260]  And that is something that I think is going to take some more time in terms of that conversation and how much people are willing to, manufacturers specifically, are going to be willing to share in that area.
[15:39.420 --> 15:46.860]  There's been a lot of great work. Pete, you've done a lot of work trying to bridge the discussions between these communities.
[15:46.860 --> 15:59.760]  And, you know, we've seen pretty much a community that really wasn't talking to researchers at all really starting to embrace them now and have a lot more conversations, which has been good for both.
[15:59.760 --> 16:12.400]  I think the researchers are finding out, hey, you know, these are good people trying to secure really high technology, and the companies are saying these are really good people who are trying to make sure that technology is well secured and I haven't found a way.
[16:12.400 --> 16:20.860]  So this is all good in my mind in that the process of building trust takes a long time.
[16:21.020 --> 16:39.940]  And I think things are moving in the right direction. And it's these types of conversations, these environments, the village, these things that are happening that are going to continue to bring together the parties and try and close that gap of when you have these types of situations.
[16:39.940 --> 16:48.120]  In terms of what the manufacturers will be willing to share in terms of information with the researchers.
[16:48.780 --> 17:02.300]  Thanks, Jeff. And yeah, that brings it around nicely to probably the newest ISAC on the block in the aerospace sector, which is Erin and the space team.
[17:02.300 --> 17:21.280]  I mean, Erin, all of the conversations that have been sort of like going on there with the challenges and the opportunities that the aviation ISAC has gone through and Gaffers and Ken as examples of the researcher and hacker community.
[17:21.280 --> 17:36.540]  With you sort of being the newly minted IOC later on this year, Space ISAC, what's your sort of vision going forwards for how you want to play this and how you want to take the Space ISAC forwards?
[17:38.500 --> 17:39.780]  Muted.
[17:42.770 --> 18:06.330]  Thanks, Pete. I think since Space ISAC is new and we have sort of a clean slate here, then there's a lot of opportunity to leverage the lessons learned. There's almost like a legacy of how ISACs operate and some things good, some things bad, and we want to make sure that we fully explore and understand what we can do the best.
[18:06.330 --> 18:26.250]  So listening to everyone talk, then I think, you know, there's some great takeaways, you know, having that open line of communication available and we have that today. So we are currently accepting communication, you know, to the Space ISAC at our info at s-isac.org email address from anyone.
[18:26.250 --> 18:40.650]  So I would say that part of our vision starts now. Like I would encourage anyone to contact us with ideas on how Space ISAC can be that broker between the public and private sector, but also that extends to researchers.
[18:41.710 --> 18:51.130]  Part of the vision of Space ISAC does include that we have universities as members. So that makes us a little bit different than some other ISACs, not all.
[18:51.130 --> 19:07.390]  We also have international members. So that makes us a little different too. I think it's really cool to think about space as a global community. And so other ISACs have done and we intend to expand out and have members from all across the globe.
[19:09.170 --> 19:18.970]  Since not everyone here is familiar with Space ISAC, just a little bit of history. It was launched by the White House. So that's interesting in and of itself.
[19:18.970 --> 19:29.870]  The White House, representing the US government, came forward and said, you know, we really want to see the public and private sector come together and share information about threats and vulnerabilities
[19:29.870 --> 19:46.310]  regarding the space community. And after they made that announcement, then we were able to start going out and asking members to join the board. So we're still very new, in that we just opened our general membership on May 1 of this year.
[19:46.310 --> 20:02.730]  And when we hit our IOC, that will mean that we have the ability to actively share threat intel through an intel platform. We'll also have workshops and events that are available to the space community published at that time. And that's coming later this summer.
[20:02.730 --> 20:19.590]  So now is the time definitely for us to open that line of communication. And we would invite, you know, like I said, anyone's perspective on how to stand up the best vulnerability disclosure program. I've already talked to some of our board members about doing that.
[20:19.590 --> 20:38.910]  So really looking forward to the opportunities that we can bring to the space community. This one will make us even better. I believe that an ISAC really is the prime organization to be able to have this type of dialogue and to engage in this way. So thank you.
[20:38.910 --> 21:01.350]  And that's great. And it's great to hear all the work that's going on in the background. I mean, have you... so with space, I mean, a lot of the focus is on mission critical. So that's the mantra that always gets talked about with space ops. I mean, a lot of the discussion for aviation will be safety and security.
[21:01.350 --> 21:30.390]  So driving risk as low as reasonably practicable. With the space sector and your members and what you're hearing from your side of it, is there still this... what's the general feeling at the moment when it comes to cyber security? Because people tend to banter that cyber security of space assets is generally... I mean, I think the expression I heard the other day was in the 80s.
[21:32.070 --> 21:55.110]  But obviously, that is going to be something which is openly debatable. But what's the general feeling about the maintaining that mission critical status and having cyber security upfront and focused on that? And then looking for the vulnerabilities and working and open to working with researchers? Are you getting that feeling from your members and the people you're speaking to?
[21:55.790 --> 22:13.530]  The feeling I get is that more information is better. So if information comes to the ISAC, then it's our job to get it shared with the members that it is most relevant to. So we are already operating in that role right now.
[22:13.530 --> 22:28.690]  Cyber security for space or security for space is very broad. And the general feeling is that we should have stood up a space ISAC two decades ago. Maybe that's what your comments were indicating.
[22:28.690 --> 22:49.390]  Because there's a lot of vulnerabilities that hit cyber security, hit the business system. And they actually have a lot of relevance specifically to space applications. And other entities might view them differently. But if you're a space company, then you really need to know the direct implications of that threat to the space mission.
[22:49.390 --> 23:14.170]  So it is definitely all about space mission and protecting the space critical infrastructure. And that's where our entire focus will be. So if somebody has access to information that is related to a threat to space critical infrastructure, which will eventually publish what that means to our members, what is space critical infrastructure, and that'll help scope some of that discussion.
[23:14.170 --> 23:36.550]  But I mean, if you define it as space critical infrastructure, and you think that the Space ISAC should know about it, then I would say that's what our members are going to care about, from what I can tell. We've actually also engaged in a partnership, I should mention, with the Air Force Research Lab that runs that Hack-A-Sat that's happening this year right now.
[23:36.550 --> 23:49.430]  And so just even that step forward shows me that the members are really excited about partnering on challenges or developing our own challenges that will be open to the broader researcher community.
[23:49.430 --> 24:07.850]  Thanks, Erin. Yeah, and to be honest, it's just nice talking about aerospace cybersecurity and having hackers and researchers working together because it felt like three years ago that talking about vulnerabilities in aerospace systems is something that we didn't really want to do.
[24:07.850 --> 24:29.130]  So actually, part of this is building up this dialogue so we can have that as an informed dialogue. But as we go forwards, I think, I mean, we've all had conversations in the past about trying to make sure we learn from what's happened in the past. So really trying to dig into some of these challenges is...
[24:29.130 --> 24:43.350]  What's been, and I'll pass it over to Ken, what's been the standout sort of examples of where things have really worked well and made a difference and where things really haven't worked well?
[24:44.050 --> 24:50.410]  Gosh, there's a few of those. I want to pick up on a point that Jeff made, and you used the word new, which I think is actually really important here.
[24:51.770 --> 24:58.830]  Because cybersecurity research in aviation is pretty new. I mean, we've been working on airframes for two, two and a half years now.
[24:59.070 --> 25:11.230]  And you've got to remember, this is an industry that perhaps is very heavily regulated. It believes it has safety well in hand, so it's extremely open to inspection, but also fiercely protective of intellectual property, rightly so too.
[25:11.230 --> 25:24.050]  So this is a new thing. The industry is also hurting at the moment with the COVID-19 issues, and also smarting from some perhaps less helpful coverage in the past around aviation cyber.
[25:24.050 --> 25:34.430]  So I think it's really important we talk about building trust in this community. And what's often raised as a subject when you're doing vulnerability disclosure is non-disclosure.
[25:34.430 --> 25:41.210]  And that's a really sensitive area. So it's pretty rare outside this space that you'd be asked to sign a non-disclosure agreement.
[25:41.210 --> 25:46.790]  But also, you have to balance that with, as a researcher, do you want to know more? Do you want to understand in detail?
[25:46.790 --> 25:59.250]  But at that point, you might consider signing a non-disclosure agreement in certain areas that allow the manufacturer to talk to you in more detail, feel more like they've got more trust in you, that you're not going to take everything that they've told you and splatter it across the press.
[25:59.250 --> 26:15.250]  And I think that's a really, really important point. So I think many researchers should think carefully about that. Or maybe we should consider actually NDAs for certain areas. Perhaps certain bits of discussion do need to be covered by non-disclosure and certain, well, maybe not so.
[26:15.250 --> 26:24.070]  And I think that's a really important learning point. And I think that also leads us back into some examples of where things have gone really well, and some examples of where things have gone really badly.
[26:24.070 --> 26:39.510]  I can think of the biggest issue just being generally where there's no communication. So where the researcher does what they believe to be the right thing, makes communication, establishes, discloses everything they've got, and then things go quiet for a while.
[26:39.510 --> 26:57.690]  And it may be that the vendor in that case is actually working really diligently exploring every option and trying to add some detail, but they don't communicate. And I think in Gaffers' case, that's potentially what went wrong there. Perhaps if there'd been a more regular dialogue with the vendor reaching out and going, hey, I know we haven't spoken to you for a while.
[26:59.770 --> 27:03.550]  I think that would have made you feel a lot happier about things, hey Matt?
[27:03.550 --> 27:19.190]  Yeah, absolutely. I just felt that the communication was a bit cut, in general. And it wasn't an open flowing dialogue at all. It was very much, yep, thank you for your submission, we'll look at it. And then nothing else.
[27:19.670 --> 27:30.330]  There was no questioning of what I had proposed, no questioning of what I'd submitted. It was just that, yeah, we'll take it away and look at it.
[27:30.330 --> 27:36.430]  And that was it. It was just, and then when I chased them for an update, it was like, oh, here's the response.
[27:37.370 --> 27:38.870]  There it is, that's it.
[27:39.930 --> 27:45.410]  And, you know, annoyingly, with my work at the operator level, I actually knew a lot of these people.
[27:45.970 --> 27:57.410]  Anyway, you know, it's not like I've never actually met them in person. I have. So to not have that level of trust, I think, is really disappointing.
[27:57.410 --> 28:05.410]  And it is something where I think, you know, the whole industry, researchers and the manufacturers could really improve.
[28:05.730 --> 28:16.290]  A good example of that. So, you know, compare us to where we were perhaps a year ago with DEF CON and Black Hat in 2019, which was perhaps partly a difficult time for the aviation cyberspace.
[28:16.290 --> 28:24.790]  But yeah, here we are a year later. And for example, Boeing is going to set up a Cyber Technical Advisory Council, actually inviting researchers onto the inside.
[28:24.790 --> 28:29.890]  I mean, what a huge win that is, both for researchers and for the industry. It's fantastic progress.
[28:29.890 --> 28:42.430]  And I think it's amazing that a vendor who was perhaps really hurting from some difficult coverage last year and a difficult interaction with researchers has now completely come around and engaged practically.
[28:42.430 --> 28:43.830]  And I think that's a huge step forward.
[28:43.830 --> 28:50.350]  So it is new. It is new to the industry. But yes, it will take time. But trust is being established.
[28:52.330 --> 28:53.970]  Jeff, do you want to come back on that?
[28:55.290 --> 29:01.550]  Yeah, I just actually took down a note here because I want to make sure I share it with all the members across the ISAC.
[29:01.910 --> 29:07.890]  And what I wrote down basically is a vulnerability disclosure program does not equal a link on a website.
[29:07.890 --> 29:11.550]  And I think that's a really important point here, right?
[29:11.550 --> 29:20.610]  I mean, we've got all these companies out there who are now making it easier for them to be contacted, but it doesn't end there, right?
[29:20.610 --> 29:27.210]  So I got your submission. I need to have that conversation. I need to engage with this researcher.
[29:27.550 --> 29:35.290]  And I think that's just a really important point. I'm really glad you brought that up because that's a part of the maturation process.
[29:35.290 --> 29:43.190]  You know, okay, the door's there, but if you don't answer the door and welcome the people in for the conversation, then, you know, it's kind of an odd relationship.
[29:43.190 --> 29:50.550]  They're just standing on the front step, right? And so we need to bring them in the living room and sit down and have the conversation.
[29:52.390 --> 29:59.610]  Researchers spend their own time, their own money, their own efforts doing this. And it's great when we feel valued.
[29:59.850 --> 30:04.030]  And, you know, we can help, you know, the aviation industry can benefit from what we do.
[30:04.030 --> 30:07.630]  It's just that level of value and interaction makes such a difference.
[30:07.850 --> 30:18.570]  And actually, if you look at the... if a researcher and a hacker find something and then tries to approach and do the right thing in talking through good faith research and saying,
[30:18.570 --> 30:24.170]  I think there's an issue here, a lot of the risk is really on the researcher. It's not really on the manufacturer.
[30:24.170 --> 30:32.050]  So a lot of that effort, I think, really has got to come from the vendor to say, we're open and we're willing to engage in all of this.
[30:32.050 --> 30:39.750]  Jeff, one of the areas I think is quite contentious in security research in aviation is the subject of non-disclosure. I mean, where does the ISAC sit on that?
[30:40.510 --> 30:52.950]  So, great question. Really, the issue with the non-disclosure is that if you sign a non-disclosure agreement with someone, there's still a risk that they're going to violate the non-disclosure agreement.
[30:52.950 --> 31:06.710]  And although there's recourse if someone violates a non-disclosure agreement, what you wanted to keep protected from being publicly disclosed ends up getting out there. So this is, again, a matter of trust.
[31:06.710 --> 31:28.410]  And you've seen this, Ken, because you have a company that does pen testing, right? Not every company wants to hire every pen tester. And, you know, that's one of the problems. It's like they're looking a lot of times for companies that, hey, have you worked with these guys before? Have you worked with these pen testers? Do you think they do a good job?
[31:28.410 --> 31:54.290]  Do they, you know, actually hold your intellectual property close? Those are the types of questions that I'm sure you've had grilled, right, as you walk into different engagements. And that is one of the problems, particularly for newer researchers, because it's like, well, what if you don't know me, right? I've still got great research. I'm a very trustable person, but we just don't have a history yet.
[31:54.290 --> 32:17.290]  And that is a situation where I think it may be solved by the community building itself up. As the community builds itself up, other researchers who do have, let's call it street cred, right, out there, they're able to vouch for people who have come in and say, well, I've worked with that person. I know that person.
[32:17.290 --> 32:30.410]  You know, those types of trust building activities, I think, are going to have to happen to support the idea of entering into an NDA with a new researcher.
[32:57.890 --> 33:17.270]  I mean, can I just... we've got to be... I just want to unpick some of the language, because when we talk about building up and using street cred and things like that, I mean, surely we need to get to a position where, irrespective of who is bringing it up, if it's being brought up in good faith, and being engaged on good faith, then it's going to work.
[33:17.270 --> 33:41.750]  But if it's being brought up in bad faith, whether somebody's got street cred or not, we've got to make sure that they are listened to. Because if we go to the safety critical aspect, or from the space perspective with Erin and her team from a mission critical aspect, if anybody brings up a potential safety issue, then the safety management team are behoven to listen to it, irrespective of who it is.
[33:41.750 --> 34:00.070]  So surely we've got to go for the same perspective when it comes to researchers and them trying to flag issues. It shouldn't be... I don't feel there should be a gate of entry of credibility or not. It should be, we've just got to have that dialogue, and they've got to be able to reach people. Gaffer, you're nodding a lot.
[34:00.070 --> 34:22.330]  Well, yeah, because I mean, I get a lot of, you know, imposter syndrome in this industry, because I'm not a pen tester. I'm not like Ken. I don't spend my life, you know, reverse engineering IoT and doing all this kind of stuff. I was just doing information assurance on behalf of my client and found these things. And, yeah, like I said, I'm not a pen tester.
[34:22.330 --> 34:42.170]  I haven't really called myself a researcher until recently when I kind of thought to myself, well, yeah, I'm actually doing things in my spare time, looking at things, using open source documentation, et cetera, et cetera. And, yeah, I suppose I am a researcher, but I never really thought of myself that way, especially when I did these disclosures.
[34:42.170 --> 34:53.050]  So, yeah, the bar has to be not your cred. It has to be, you know, you're coming in with an issue and, like I said, we're doing it in good faith.
[34:53.430 --> 35:09.830]  I mean, Erin, from your perspective and how you're building out the Space ISAC team, are you looking at the structures and processes of how you can potentially engage in this way to try and make sure these doors are fully open?
[35:13.480 --> 35:41.380]  Yes. So I've started the conversation with the current members of the Space ISAC. And as the Space ISAC grows, then I think this will be a conversation that we have with everyone who joins the organization to ask them about having a vulnerability disclosure program, what their experience is with that, and making sure that we can shepherd the conversation from the point, you know, where someone knocks on the door to us opening it to us having the conversation to then
[35:42.100 --> 36:00.140]  brokering the conversation with the member. And I think the only way to really do that is to, like I said, talk to members when they join the organization about their perspectives on this, because otherwise you don't have a cultural adoption of it.
[36:00.140 --> 36:23.180]  Because that's really, from what I'm hearing from everyone, then that's what this is all about. And that's great for me, because that's the kind of stuff that I love. Like when I did design sprints with the private sector and the government, then that was all about changing culture. And so shaping culture is mostly driven by conversations and introducing new ideas and then kind of testing them.
[36:23.180 --> 36:46.240]  So I think that's what we'll be doing in the Space ISAC, is if someone knocks on our door, then they, people, someone has to realize that if they knock on our door right now, then it's the first time it's ever happened. But we're willing and open to taking, walking the path with them and having the conversation with the company or the member that has the vulnerability that they're approaching us with.
[36:46.240 --> 37:00.260]  And I'm just going to pick up though, because culture, yeah, massively important, but with both aviation and space, as have been previously mentioned, it's massively highly regulated. So regulators are there for both safety and security.
[37:01.740 --> 37:19.160]  And last year, there was a massive step forwards where, for example, ICAO, which is the UN body for aviation, actually has a line in their cyber strategy now, which says that states must give adequate protection to good faith security researchers, which is great.
[37:19.160 --> 37:32.980]  So from a very top level at ICAO and the UN, this is sort of being recognized and hopefully will filter down. But what's the relationship like with, for example, the regulators in this space?
[37:33.660 --> 37:52.780]  Because this is a safety critical industry. If a researcher is flagging potentially a safety critical issue, who really gets to decide whether it's safety critical or not? And from Erin, from your perspective, is there that structure yet, whereas you would see in the space sector?
[37:54.220 --> 38:03.340]  So obviously the space sector is regulated, but it's not as regulated as it could be, and maybe will be in the future in terms of cybersecurity.
[38:03.720 --> 38:13.240]  So I think the Space ISAC, part of the intention of standing it up is to promote dialogue with prospective regulators.
[38:13.240 --> 38:32.900]  So, you know, in the future, there will be agencies that are responsible for managing space traffic management. They could send regulation down as a result of that designation. And the communication between the private sector and that agency is critical. And that's what the Space ISAC is for.
[38:32.900 --> 38:59.620]  So we have at least 18 different agencies that we're partnered with informally right now, and we're working on formalizing those partnerships. So I believe there's a lot of opportunity for the interactive dialogue. We are seeing it today with certain agencies contacting us and asking for information to be shared in both ways. So they share information with us, and as we're able to, we share information with them.
[38:59.620 --> 39:22.600]  And hopefully, and you can tell us how this goes, potentially, whether yourselves can be an advocate of why good faith security research and working with the research community would be good across the space sector. I mean, the work from what you're talking about there, it sounds like that you're going to be quite well at the forefront of that as the Space ISAC.
[39:23.500 --> 39:41.840]  Going back to the regulator's perspective from an aviation side, Jeff, from the Aviation ISAC perspective, if somebody comes to you with something that you think could be a safety-critical issue, do you deal with that differently compared to if it was an issue on a non-safety-critical system?
[39:42.880 --> 40:00.300]  No, we really don't. So what we do is, again, we don't have the capacity to validate whether or not it is a safety-critical issue or not. I mean, there may be an assertion from the researcher that it is, but we don't have the ability to make that conclusion.
[40:00.300 --> 40:30.280]  So we're going to be providing the information by linking the researcher up to the manufacturer and letting them go through that process. If it's a safety-critical issue, the manufacturer may be required under their regulatory requirements to actually make a report to their regulator as to what the particular issue is and then how that's going to be resolved.
[40:30.300 --> 40:41.960]  So there's a whole body of governance over the manufacturers to have to make those types of notifications.
[40:42.220 --> 40:55.560]  And there are also lots of other front doors that the researchers can use, for example. So DHS has a front door for researchers. I don't think the FAA has a front door for researchers.
[40:56.580 --> 41:02.300]  But, I mean, Ken, have you seen the different pathways that have been used?
[41:03.220 --> 41:12.720]  Yes, so we haven't struggled so much recently. And I think that's partly because we've had access to ISAC, who know who to ask or can make a subtle introduction if required.
[41:12.840 --> 41:18.980]  But I have seen other researchers publishing on Twitter saying, has anyone got a security contact at X?
[41:18.980 --> 41:25.300]  And that's a really difficult way of... I think sometimes it draws attention, sometimes it's unhelpful.
[41:25.400 --> 41:33.860]  And I don't know if that's the most constructive way, but it does reflect a lack of ability of the industry to receive researchers.
[41:33.920 --> 41:40.040]  So I'd say to researchers, try a bit harder, but I'd also say to the industry, listen a bit harder and make it a bit easier.
[41:40.900 --> 41:45.280]  Well, that sounds like quite a good segue to start wrapping up.
[41:45.760 --> 41:57.300]  So, Gaffers, have you got a sort of like final thoughts that you want to sort of, having been talking about this for a while now and having gone through it yourself, have you got some wrap up thoughts for yourself?
[41:57.300 --> 42:10.080]  Yeah, I mean, so from an airline perspective, a lot of the cyber security controls come down to the airline as recommendations.
[42:10.180 --> 42:17.160]  You know, so when you look at all the documentation and the regulation paperwork, there's nothing that says you have to do this.
[42:17.160 --> 42:27.440]  They're all recommendations. And a lot of the documentation, they will, you know, dedicate 95% or more of the words towards non-cyber stuff.
[42:27.440 --> 42:30.700]  And there's a tiny little bit at the end about, well, think about doing this.
[42:31.620 --> 42:40.280]  And I think that the manufacturers as well, they will provide their own recommendations of security controls to put in place.
[42:40.280 --> 42:44.960]  But then there's a disconnect because the manufacturer will have done their risk assessment.
[42:44.960 --> 42:52.680]  They will know what the risks are, produce recommendations for the operator to implement.
[42:53.100 --> 43:05.520]  But then the operator implements them with no way of assessing their quality because there's that disconnect between the risk assessment, which the manufacturer has done, which is obviously secret, and the work that the operator does.
[43:05.520 --> 43:10.580]  And I think that there's something in the middle there that's missing. And it could be the regulator. It could be the ISACs.
[43:11.040 --> 43:13.280]  I don't know, but I think there's a better way we can do this.
[43:14.580 --> 43:24.380]  Really, although there might be one front door for the researchers, it's all of the network of communications and information sharing behind that where challenges also remain.
[43:24.860 --> 43:25.520]  Yeah.
[43:25.660 --> 43:26.640]  OK.
[43:27.260 --> 43:31.740]  Ken, you were very pithy earlier, so I'll give you one last chance.
[43:32.080 --> 43:38.520]  So I think one key point is security research is happening in aviation more and more.
[43:38.560 --> 43:41.660]  Partly on the back of COVID-19, airframes are being retired.
[43:41.660 --> 43:49.280]  I was offered an entire operational 747-400 that last flew a month ago for 200,000 bucks just this week.
[43:49.280 --> 43:53.800]  OK, it didn't have engines, but everything else was intact. Plug it into ground power, the whole thing works.
[43:53.800 --> 44:00.360]  So yeah, 200Gs is a lot of cash, but it's starting to come into the price range of research firms.
[44:00.360 --> 44:02.480]  So more and more research is going to happen.
[44:02.480 --> 44:07.680]  So now's the time to take the opportunity, engage with researchers, make it easy to interact with them.
[44:07.680 --> 44:09.500]  And let's step up.
[44:10.340 --> 44:15.260]  Fantastic. And then I'll come across to Erin for yourself next.
[44:17.400 --> 44:27.720]  Yeah, so I think the way forward for the Space ISAC is to take the advice and the lessons learned from this group in particular and others.
[44:27.800 --> 44:35.520]  I've talked to some other ISACs as well out there to get insights and perspectives on how to do this the best.
[44:35.520 --> 44:40.940]  Space ISAC does have some interesting things in its future.
[44:40.940 --> 44:44.820]  We will, in 2022, have a vulnerability lab.
[44:44.820 --> 44:53.840]  So that may bring in a different dynamic to the Space ISAC and open some great opportunities to do testing of vulnerabilities.
[44:54.280 --> 45:01.500]  Definitely don't want to have anyone leave thinking that just because it's in space doesn't mean it can't be hacked.
[45:01.500 --> 45:08.820]  So we're really looking forward to the future and engaging the researcher community.
[45:09.280 --> 45:15.900]  And hope that someone actually reaches out and shares their ideas because I really want to read them and follow up.
[45:15.900 --> 45:22.680]  So I'll drop the address that I gave before, info, I-N-F-O at s-isac.org.
[45:22.680 --> 45:24.920]  Feel free to hit me up. Thanks.
[45:24.920 --> 45:36.520]  And I think we all look forward to hearing about your IOC coming up and look forward to how you take it forward and being there to help you and the community as it goes forward.
[45:36.520 --> 45:40.500]  And then, Jeff, you and I have had these conversations a lot.
[45:40.780 --> 45:46.480]  So it's great to have you here. Wrap up thoughts from yourself, please.
[45:47.040 --> 45:52.080]  So I think something that Ken highlighted is just critically important.
[45:52.080 --> 46:06.520]  I mean, the fact that people, particularly because of COVID-19, can now get more access to equipment, that is going to absolutely open up more research being done on planes.
[46:06.520 --> 46:10.300]  So that fact is critically important.
[46:10.300 --> 46:21.120]  The other thing, I think it's been a theme through the whole conversation we've been having here, is that communication and building bridges is just critically important between the community and the industry.
[46:21.120 --> 46:35.260]  And so as we continue to strengthen that bridge and have more of those conversations and good exchanges, again, I think people are just going to continue to see that on both sides of the equation here,
[46:35.260 --> 46:52.800]  there's just really good, smart people who have common ground with respect to safety in the industry. And keeping that conversation open and that mindset open is going to help these great ideas get passed back and forth and just make the whole industry more secure.
[46:53.480 --> 46:55.380]  Thanks, Jeff. And thanks to all of you.
[46:55.380 --> 47:05.900]  I think it really shows from all of the themes that have been picked up that actually there is no straight path to building trust across such a diverse group of stakeholders.
[47:06.680 --> 47:15.120]  There is no one right answer for how best we can help the researcher and hacker community work with industry.
[47:15.120 --> 47:35.960]  But the one thing we do know that will help is conversations like this, learning from each other and actually trying to positively engage across all of those different stakeholders and have a good drumbeat of communication so that when people are flagging things up,
[47:35.960 --> 47:50.780]  then it's actually a good positive engagement all the way through. And that's the way we learn all of us together. And that's the way that we can help the industry be safer and more secure. So I just want to make a huge thanks out to all of you.
[47:51.320 --> 48:09.760]  This is in the heart of the envelope of exactly what the Aerospace Village is about to try and help build bridges and the community around such a great topic. Please stay safe and look forward to chatting with everybody on Discord straight after this for about an hour. Thank you very much.
